So, you have your foothold on a Windows 7 box. Setting aside the possibility of uploading our own tools, can we use a plain off-the-shelf copy of Windows 7 to poke around for a potential next stepping stone? With PowerShell, there isn't much we can't do.

Recall from earlier that we can pipe a number range into ForEach. So, if we're on a network with netmask 255.255.255.0, our range could be 1 through 255 piped into a ping command. Let's see it in action:

> 1..255 | % {echo "192.168.63.$_"; ping -n 1 -w 100 192.168.63.$_ | Select-String ttl}

Let's stroll down the pipeline. First, we define a range of numbers: an inclusive array from 1 to 255. This is input to the ForEach alias % where we run an echo command and a ping command, using the current value in the loop as the last decimal octet for the IP address. As you know, ping returns status information; this output is piped further down to Select-String to grep out the string ttl, as this is one way of knowing we have a hit (we won't see a TTL value unless a host responded to the ping request). Voila—a PowerShell ping sweeper. It's slow and crude, but we work with what is presented to us.

You might be wondering, if we have the access to fire off PowerShell, don't we have the access to meterpreter our way in and/or upload a tool set? Maybe, but maybe not—perhaps we have VNC access after cracking a weak password, but that isn't a system compromise or presence on the domain. Another possibility is the insider threat: someone left a workstation open, we snuck up and sat down at the keyboard, and one of the few things we actually have time for is firing off a PowerShell one liner. The pen tester must always maintain flexibility and keep an open mind.